An Coimisiún um Chosaint Sonraí
Data Protection Commission


RE: XX v Groupon International Limited 
DPC Ref: C-XX-X-XX 

Date: 16 December 2020 

To: XX 

To: Groupon International Limited 


This document is a decision of the Data Protection Commission (“the DPC”) regarding the complaint received by XX 
(“the complainant”) against Groupon International Limited (“Groupon”), and pursuant to the Data Protection Act
2018 (“the Act”) and the General Data Protection Regulation (“the GDPR”). Groupon International Limited is the 
data controller for the Groupon service and it has its main establishment in the European Union in Ireland (with an 
address at 1 Burlington Rd, Ballsbridge, Dublin 4, D04 N9W8). As such, the DPC acts as the Lead Supervisory 
Authority (LSA) for Groupon International Limited and has the power to make this decision pursuant to section 
113(2)(a) of the Act and Article 60 of the GDPR. 


The right of the complainant to bring this complaint against Groupon arises from the fact that Groupon is the
controller of his personal data. The complainant held an account with Groupon and made an erasure request to
Groupon, in response to which Groupon engaged with the complainant on the basis that it was the controller of his
personal data in this instance.


1. Overview of Complaint dated 4 June 2018 


1.1. The complainant alleges that Groupon infringed upon his rights under the GDPR by way of its requirements 
in relation to the verification of his identity before his request for erasure of personal data could be carried 
out. Specifically, he alleges that Groupon’s requirement that he provide a copy of a national identity 
document in order for Groupon to verify his identity, before it could give effect to his erasure request, 
constitutes a contravention of the GDPR. 

1.2. The complainant initially brought this alleged infringement to the attention of Groupon directly, and 
subsequently submitted a complaint, dated 4 June 2018, to his local data protection supervisory authority 
in Poland, the Office for the Protection of Personal Data. The Polish Office for the Protection of Personal 
Data uploaded the complaint onto the communication system on 29 June 2018 and the DPC accepted its 
role as LSA on 5 July 2018. Accompanying the complaint, which was received by the DPC in Polish with 
an English translation, the Office for the Protection of Personal Data provided a document containing links 
to copies of Groupon’s terms of use of its website and its privacy policy. The IMI case file was also included. 
A timeline of communications, with dates where available, between the complainant and Groupon in 
respect of this complaint, and as taken from correspondence received from both parties to this complaint, 
is provided in section 2 below. 


2. Complaint Timeline 


2.1. The complainant contacted Groupon by email to request erasure of his personal data, pursuant to Article 
17 of the GDPR, on 26 May 2018. He received an email from Groupon acknowledging receipt of his request 
on the same date. 

2.2. On the same date, the complainant received an email from a representative of Groupon, advising him that, 
in order to enable Groupon to give effect to his request, he would be required to submit a copy of a national 
ID card in order to verify his identity. Correspondence provided to the DPC from Groupon also indicates 
that the complainant received a phone call from a representative of Groupon on the same day, advising 
him of this requirement. 

2.3. The complainant replied to Groupon’s email on the same day, indicating that he was not prepared to submit 
a copy of a national ID card as he believed the requirement for same was not compliant with the GDPR. 

2.4. On 29 May 2018, the complainant received further communication from a representative of Groupon,
directing him towards an online portal via which he could progress his request without the submission of a
copy of a national ID card. The complainant advises that he accessed the portal on the same date and
followed the instructions provided to him, attaching various pieces of information that he was happy to
provide to Groupon, but not including a copy of his ID card.

2.5. The complainant received a further response from Groupon on 4 June 2018, to the effect that his request
for erasure could not be progressed in the absence of a copy of a national ID card. He lodged a complaint
with the Office for the Protection of Personal Data on the same date.

2.6. According to correspondence received from Groupon, the complainant submitted a second request for
deletion of personal data pursuant to Article 17 on 17 July 2019, and his personal data was deleted in
completion of this request on 14 August 2019.


3. Fair Procedures and Complaint Handling Process


3.1. The complainant was informed by the DPC of his rights pursuant to section 108 of the Act.

3.2. The complainant was provided with the opportunity to be heard by being sent regular updates in relation to
the DPC’s investigation of the complaint.

3.3. Groupon was also provided with the opportunity to be heard by being notified of the complaint, and through
the DPC’s regular engagement with it throughout the process. Groupon was also given the opportunity to
provide submissions on a draft of this decision (see section 7 below). Groupon was also given the
opportunity to provide additional submissions on a revised draft of this decision (see section 10 below).
Under section 109(2) of the Act, the DPC may, where it considers that there is a reasonable likelihood of
the parties reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint,
take such steps as it considers appropriate to arrange or facilitate such a resolution. The DPC engaged
with both parties to attempt to achieve an amicable resolution of the complaint. However, these attempts
were ultimately unsuccessful.


4. Investigation


4.1. The DPC commenced an examination of the subject matter of this complaint upon receipt of same.

4.2. The DPC engaged with Groupon on 1 February 2019 and, in a response to the DPC received on 11
February 2019, Groupon confirmed that the complainant had submitted a request through the Groupon 
Privacy Portal at http://gr.on/privacy for deletion of his personal data on 29 May 2018. Groupon further 
confirmed that there was no ID attached to the request, and that on the same day it had requested that he 
provide a valid ID, in accordance with the requirements that Groupon had in place at the time. Groupon 
further confirmed that the complainant rejected this request by email dated 4 June 2018. 

In its response to the DPC, Groupon further advised that it had changed its requirements in respect of 
identity documents in October 2018. It stated: “We now to seek to authenticate an email address in order 
to ensure that the request is valid in accordance with GDPR requirements. This has replaced the 
requirement for photo ID” (correspondence from Groupon to the DPC, 11 February 2019). 

Following the failure of the DPC’s attempts to bring this matter to an amicable resolution (see paragraph 
3.3 above), the DPC advised the complainant that it would revert to him in due course to inform him of the 
outcome of the complaint. The DPC also advised Groupon, by way of email dated 29 March 2019, of the 
failure of the amicable resolution procedure. 

In this correspondence of 29 March 2019, the DPC reiterated the parameters of the complaint and set out 
further items of information it required from Groupon in order to assist it in progressing the matter. In 
particular, the DPC requested details, inter alia, of how Groupon considered it was in compliance with 
Article 5 of the GDPR and how it considered it was in compliance with Articles 12 and 17 of the GDPR. 
By way of email dated 11 April 2019, Groupon responded to the DPC’s requests in this regard, stating that 
it had processed the complainant’s personal data in compliance with Article 5 of the GDPR. In particular, 
with reference to the principle of Data Minimisation under Article 5(1)(c), it stated that the personal data 
processed was adequate, relevant and limited to the purposes for which it was processed, i.e. opening and
operating his account.

In relation to Articles 12 and 17 of the GDPR, Groupon stated that it was in compliance as it believed it
was not in a position to verify the complainant’s identity, based on its requirements in place at the time. In 
the context of a request for erasure of personal data under Article 17, Article 12(6) allows a controller to 
request the provision of additional information necessary to confirm the identity of the requesting data 
subject, where it has reasonable doubts concerning his or her identity. In the case at hand, Groupon has 
not indicated or otherwise demonstrated that it had reasonable doubts as to the identity of the complainant. 
Rather, the standard procedure it had in place at the time the complainant made his request for erasure 
required submission of a copy of a national identity card by default. In circumstances where no identity 
card was required upon the opening of the account, it is not considered in any case that submission of a 
copy of a national identity card could have allayed any such concerns as to the complainant’s identity (as 
there was no pre-existing identity card held by Groupon against which a copy of a national identity card 
submitted in the context of the erasure request could have been compared). This calls into question the 
relevance and proportionality of seeking a copy of a national identity card even where reasonable doubts 
existed concerning the identity of the requester. 

Groupon also clarified that it had reviewed its procedures one month after GDPR had come into effect, 
and had determined that it was sufficient to verify ownership of the email address provided at the time the 
account was opened. It stated that this new policy was implemented on 8 October 2018. 

In its email of 11 April 2019, Groupon also indicated to the DPC that it was now in a position to delete the 
complainant’s information, if required. Groupon also expressed its apologies to the complainant for any 
inconvenience and upset the delay in effecting his request had caused. 

By way of email dated 12 April 2019, the DPC reverted to Groupon seeking certain further clarifications. 
Among other information, the DPC requested a copy of the privacy policy Groupon had in place at the time 
the complainant made his erasure request and a copy of the webform available via the web portal that would
have been available to the data subject when he was directed to same subsequent to his initial request on 
26 May 2018. 

Groupon responded to the DPC by way of email dated 18 April 2019, providing a copy of the privacy policy 
it had in place on 26 May 2018 and a copy of the webform that was available to the complainant via 
Groupon’s portal on 26 May 2018. 

The DPC uploaded correspondence to the IMI on 11 July 2019 for onward transmission to the complainant 
by the Office for the Protection of Personal Data. In this correspondence, the DPC advised the complainant 
that, should he wish to proceed with the deletion of his account, it would not affect the outcome of his 
complaint. The DPC advised the complainant of Groupon’s statement, in its correspondence of 11 April 
2019, that it was now in a position to delete his personal data, and advised him that the DPC was not in a
position to make a request for deletion for him. The DPC received no further direct correspondence from 
the complainant in response to this letter. 

Subsequently, on 22 November 2019, the DPC wrote to Groupon to seek confirmation that the 
complainant’s personal data had been deleted pursuant to his request of 26 May 2018. On 2 December 
2019, the DPC received confirmation from Groupon that the complainant’s personal data had been deleted 
on 14 August 2019, subsequent to its receipt of a second request for erasure of personal data, dated 17 
July 2019. 


5. Applicable Law


Article 5(1)(c) of the GDPR states that personal data shall be “adequate, relevant and limited to what is 
necessary in relation to the purposes for which they are processed (‘data minimisation’)”. 

Article 12(2) of the GDPR states that “The controller shall facilitate the exercise of data subject rights under 
Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request 
of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller 
demonstrates that it is not in a position to identify the data subject”. 

Article 12(6) of the GDPR states that “Without prejudice to Article 11, where the controller has reasonable 
doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the 
controller may request the provision of additional information necessary to confirm the identity of the data 
subject”. 

Article 6(1) of the GDPR sets out the grounds upon which personal data may be lawfully processed. 

Article 17(1) of the GDPR sets out the grounds upon which an individual may assert a right to erasure of
personal data. 


6. Main Findings of Investigation 


6.1. It is noted that Groupon’s requirement that data subjects provide a copy of a national ID card in order to
verify their identity when making a data protection request was in place for just over four months following
the introduction of the GDPR on 25 May 2018, until 8 October 2018.

6.2. The complainant argued that this requirement constitutes an infringement of the principle of data
minimisation, pursuant to Article 5(1)(c) of the GDPR. For instance, the complainant stated: “In this
application, I again pointed out that the transfer of the ID card is too far-reaching and dangerous and is not
based on the GDPR...Deleting an account should be as easy as registering it. At registration, no ID is
scanned, which would be excessive in my opinion in relation to the principle of minimization” (initial
complaint by A.B. to the Office for the Protection of Personal Data, 4 June 2018).

6.3. Groupon, for its part, asserted that it complied with the principle of data minimisation in the context of its
initial processing of the complainant’s personal data, stating that “...the Complainant's personal data was
adequate, relevant and limited to the purposes for which it was processed, i.e. opening and operating his
account. The data consisted of his first name, last name, home address and email address”
(correspondence from Groupon to the DPC, 11 April 2019). Groupon did not specifically comment on
how its requirement for a copy of a national ID card in the context of a data subject erasure request complied
with the principle of data minimisation¹. It is, of course, this data processing that is at the heart of this
complaint. In this case, Groupon in effect required the data subject to submit a copy of a national ID card
in order to process his erasure request even though the provision of a copy of such data was not a
requirement at account opening stage and, therefore, Groupon had no means to check the veracity of any
national ID card information that the data subject may have submitted.

6.4. Having regard to the above, the DPC determines that Groupon infringed Article 5(1)(c), by its failure to
adhere to the principle of data minimisation. In particular, this infringement occurred when Groupon
required submission of a copy of a national ID card in order to verify account ownership for the purposes
of processing an erasure request, in circumstances where no such verification was obtained or required in
order to initially open an account. It is clear that a less data-driven means of verification (namely by
confirmation of email address) was available to Groupon, and this is reflected in Groupon’s subsequent
change to its privacy policy post-8 October 2018, whereby the requirement to submit a copy ID was
discontinued.

6.5. In addition, Groupon has not demonstrated or indicated that it had reasonable doubts as to the
complainant’s identity, such as would have justified it in requesting the provision of additional information
to confirm his identity (in the form of a copy of a national identity card) under Article 12(6) of the GDPR.
The fact that Groupon ultimately gave effect to the erasure request in the absence of the submission of a
copy of a national identity card demonstrates that no such reasonable doubts concerning the identity of the
complainant existed. As such, the request for additional identification was an infringement of Article 12(2)
of the GDPR.

6.6. In summary, Groupon should not have requested that the complainant provide a copy of a national identity
card when he submitted his request for erasure of his personal data without establishing that there was a
reasonable doubt concerning his identity or whether the requested document was relevant and
proportionate.

¹ Groupon’s quoted statement here was in response to previous DPC correspondence to it that stated: “The Complainant
contends that Groupon’s request for an identification document was contrary to Article 5 principle of “data minimisation”. He
states that other identifiers already known to Groupon could have been used for this purpose... Please demonstrate how
Groupon, acting as a controller in the context of its service within the EU, processed and continues to process the Complainant’s
information in a manner that was compliant with Article 5 of the GDPR.”


7. Submissions from Groupon 


7.1. By email dated 5 March 2020, the DPC provided Groupon with a draft of this decision, and invited it to 
make any submissions that it wished the DPC to consider. 

7.2. By email of 20 March 2020, Groupon responded with its submissions in respect of the draft decision, as 
follows: 


“Amicable resolution of the Complaint 


We consider that the process that we engaged in with the DPC met the spirit of the amicable 
resolution process described in the DPC’s email of 1 February 2019, namely “working through the 
substance of the complaint and identifying a resolution”. We are surprised that the DPC considers 
that the Complaint has not been amicably resolved given that all parties now appear to be 
satisfied with the outcome: 


Mr. X now appears to be satisfied with the resolution of the Complaint. On 11 February 2019, in
an effort to facilitate an amicable resolution, Groupon invited
Mr. X to submit a further request for erasure of his personal data, which would not require him to
submit a copy of his national ID card. Although Mr. [B.] did not accept this invitation at this time, 
he did submit such a further request for erasure of his personal data on 17 July 2019. Groupon 
verified Mr. X’s identity using the process it implemented on 8 October 2018, and complied with 
the request on 14 August 2019. We understand that the DPC did not receive further 
correspondence from Mr. X after 11 April 2019, which suggests that he had no further concerns 
about Groupon’s processing of his personal data. 


We had understood that the DPC also was satisfied with the resolution of the Complaint following 
Groupon’s erasure of Mr. X’s personal data and our 
process for verifying the identity of data subjects that the DPC considers satisfies the 
requirements of the GDPR. 


Accordingly, we respectfully request that the DPC consider whether it is necessary to follow the 
process described in ss. 109(4) and 113(2) of the Data Protection Act 2018 (referred to in your 
letter of 5 March 2020). 


Groupon’s reasonable doubts as to Mr. X’s identity 


Given the nature of our systems and the efforts necessary to mitigate fraud on our platform, we 
believe it is appropriate to take steps to verify a requestor’s identity beyond asking them to submit 
their full name and email address. 


In accordance with the principle of data minimisation, Groupon has always strived to collect (and 
only collected at the time of the Complaint) a limited amount of data when an individual creates a 
Groupon account, specifically the individual’s name, email address and password. Groupon is
mindful that data subjects’ rights are a key part of the protection of individuals’ right to data 
protection under Article 8 of the EU Charter of Fundamental Rights, and has deliberately chosen 
not to force individuals to log in to an account to exercise rights under the GDPR. This design 
choice enables all data subjects, not just those with active Groupon accounts, to exercise their 
rights. 


To verify data subjects’ identities and mitigate the risk that Groupon might disclose personal data 
relating to individual A to individual B, or might delete data related to an individual that wishes to 
continue to use their Groupon account, Groupon considers it is adequate, relevant and necessary 
to take additional steps to verify an individual’s identity (e.g., by asking for a copy of photo ID or 
conducting email address verification)”. 


In relation to Groupon’s first submission (“Amicable resolution of the Complaint”), while there can be no 
doubt that Groupon engaged with the DPC in the spirit of the amicable resolution process, the DPC does 
not accept the proposition that the complainant considered the matter amicably resolved. The 
complainant, in his correspondence to the DPC, indicated that the contrary was the case, stating in an 
email of 7 March 2019, in response to proposals put forth by Groupon by way of amicable resolution, "I
hereby declare, that I do not agree to process my complaint in the manner stated by Groupon...... it is
necessary to conclude my complaint with a formal decision". The DPC advised Groupon by email dated 29 
March 2019 that amicable resolution had not been accepted by the complainant and that accordingly the 
matter would proceed in accordance with section 109(4) of the Act. 

In relation to Groupon’s second submission (“Groupon’s reasonable doubts as to Mr. X’s identity”), the 
DPC recognises that Groupon has striven to comply with the principle of data minimisation, in particular by 
way of amending its procedures since 8 October 2018 to enable data subjects who wish to make a 
request for access or erasure to verify their account ownership by way of confirming their email address. 
However, it remains the DPC’s analysis that the procedure in place between 25 May 2018 and 8 October 
2018 (whereby a requesting data subject was required to submit ID, where no such requirement for ID 
was in place at the time a data subject opened a Groupon account) constituted an infringement of 
Groupon’s obligations as a data controller under the GDPR, as outlined in section 11, below.

The DPC has considered Groupon’s submissions fully and considers that no amendments to this decision 
are required on foot of same. 


8. Communication of draft decision to Concerned Supervisory Authorities (CSAs)


On 25 May 2020, a draft of this decision was transmitted to Concerned Supervisory Authorities (CSAs) 
across the EU and EEA, pursuant to Article 60.3 of the GDPR, which provides that the LSA “...shall 
without delay submit a draft decision to the other supervisory authorities concerned for their opinion and 
take due account of their views”. 

Subsequently, the DPC received ‘relevant & reasoned objections’ from a number of CSAs, pursuant to 
Article 60.4 of the GDPR. The DPC also received a number of opinions from other CSAs. All of the 
correspondence received from CSAs in this regard is attached in full at Appendix A, and is examined in 
section 9 below. 


9. Analysis of relevant and reasoned objections received from CSAs


The DPC received relevant and reasoned objections from two CSAs, namely the Berliner Beauftragte für
Datenschutz und Informationsfreiheit (“the Berlin data protection authority”) and the UODO (“the Polish
data protection authority”). The DPC also received opinions on the draft of this decision from the
Comissão Nacional de Protecção de Dados (“the Portuguese data protection authority”), the Datatilsynet
(“the Danish data protection authority”), the Autoriteit Persoonsgegevens (“the Dutch data protection
authority”), and the Garante Per La Protezione Dei Dati Personali (“the Italian data protection authority”).

The relevant and reasoned objections received from the Berlin data protection authority and supported by
the Polish data protection authority included criticism of the DPC’s draft decision in that the DPC sought to 
exercise no corrective power in respect of the identified infringements of the GDPR. Both CSAs advocated 
the application of a reprimand and/or an administrative fine. In their opinions, the Danish data protection 
authority and the Italian data protection authority also advocated the application of a reprimand and/or 
administrative fine. 

The DPC has carefully considered this matter further. Having done so, on balance it considers that a 
reprimand is the appropriate corrective measure to be applied in this decision. Accordingly, the DPC has 
amended section 13 of this decision below (“Exercise of Corrective Power by the DPC”) to apply a 
reprimand to Groupon, pursuant to Article 58(2)(b) of the GDPR in respect of the infringements identified 
in this decision. 

In its comment in relation to the DPC’s draft decision, the Italian data protection authority also suggested 
that the DPC might also make an order requiring the controller to bring processing operations into 
compliance, pursuant to Article 58(2)(d) of the GDPR. The DPC considers that, on balance, this measure is
not necessary in circumstances where Groupon has already amended its procedures in relation to 
verification of identity, thereby bringing said procedures into compliance. 

The Berlin data protection authority and the Italian data protection authority also raised the matter of 
further possible contraventions that they identified. In particular, these are as follows: 


(i) an alleged infringement of Article 12(3) of the GDPR 
(ii) an alleged infringement of Article 17(1)(a) of the GDPR 
(iii) an alleged infringement of Article 6(1) of the GDPR. 


In relation to (i) an alleged infringement of Article 12(3) of the GDPR, the DPC notes the concerns of the 
CSAs and it has carefully considered the matter further. Article 12(3) provides that “The controller shall 
provide information on action taken on a request under Articles 15 to 22 to the data subject without undue 
delay and in any event within one month of receipt of the request”. The objecting CSAs argue that, by not 
so advising the complainant in this instance of any action it took in respect of his request, Groupon 
infringed Article 12(3). 

For the following reasons, the DPC does not propose to follow the objections raised by the CSAs in this 
regard. In correspondence to the DPC dated 11 April 2019, Groupon stated that “We informed the 
Complainant of our requirements clearly and in a transparent manner and that we would delete his 
information” upon receipt of a copy ID card (as was Groupon’s requirement at the time of this 
communication), and further that “We believed that we were not in a position to identify the Complainant, 
based on our identification requirements at that time”. Notwithstanding the fact that, as outlined above, the 
requirement that a data subject submit a copy national ID card has been subsequently adjudged to not be 
in compliance with the GDPR, it remains a matter of fact that this was Groupon’s requirement at the time 
of the complainant’s request. The fact that the complainant's failure to submit a copy of a national ID card 
in order to verify his identity was the reason for Groupon being, at the time, unable to comply with his 
request was clearly communicated to him without delay (as required by Article 12.4 of the GDPR), and in 
any case within one month of his request (it appears to have been initially communicated by way of a 
telephone call to the complainant by a Groupon representative on 26 May, 2018, the same day on which 
he made his request). It is very clear, in fact, from the timeline set out in paragraphs 2.1 to 2.5 above that 
having received the erasure request from the data subject Groupon contacted the data subject on 26 May, 
2018 (twice), on 29 May, 2018 and on 4 June, 2018. Those contacts, which set out Groupon’s 
requirements to the data subject, demonstrated the actions that Groupon was taking at that time in relation 
to his erasure request. 

In relation to (ii) an alleged infringement of Article 17(1)(a) of the GDPR, the DPC notes the concerns of 
the CSAs and it has carefully considered the matter further. Article 17(1)(a) provides for a right of erasure 
of personal data where “the personal data are no longer necessary in relation to the purposes for which 
they were collected or otherwise processed.” The CSAs argue that, as the complainant indicated that he 
was no longer interested in maintaining a business relationship with Groupon, the latter’s failure to erase
his personal data upon being requested to do so constitutes an infringement of Article 17(1)(a). 

It is the case that, upon receipt of the complainant’s request for erasure of his personal data, the data may 
have been no longer necessary in relation to the purposes for which they were collected or otherwise 
processed (namely, the performance of a contract between Groupon and the complainant — as the latter, 
by way of his request for erasure, had clearly signalled his intention to discontinue the contract). It should 
be noted in this regard that Groupon asserted that, in the absence of a copy national ID that it had 
originally requested, the continued processing of the complainant’s personal data was necessary in order 
to continue to perform the contract (in circumstances where, from Groupon’s perspective, the complainant 
had not satisfied the account verification requirements to allow the contract to be discontinued, and the 
personal data erased). 

The DPC notes that it raised with Groupon the matter of its compliance with Article 17 by way of 
correspondence dated 29 March 2019. Groupon responded by way of correspondence to the DPC dated 
11 April 2019, stating that its retention of the complainant’s personal data subsequent to the receipt of his 
request for erasure “...was necessary for us to continue to perform the contract with him and operate the 
account. We informed the Complainant of our requirements clearly and in a transparent manner and that 
we would delete his information on completion of these requirements... [Groupon] has complied with 
Articles 12 and 17 of the GDPR in relation to the Complainant's request for the erasure of his account. We 
believed that we were not in a position to identify the Complainant, based on our identification 
requirements at that time”. 

In this regard, noting the submissions made by the parties to the complaint including the views of the 
CSAs, the DPC determines that Groupon infringed the complainant’s right to erasure under Article 
17(1)(a) of the GDPR when it failed to comply with his erasure request of 26 May 2018. As outlined at 
paragraph 6.4 above, the requirement in place at the time for a requesting data subject to provide a copy 
national ID card in order to give effect to the request is adjudged to be inconsistent with the principle of 
data minimisation as set out in Article 5(1)(c) of the GDPR. As such, it was not valid for Groupon to seek 
to rely on this requirement as a basis on which not to comply with the complainant’s request for erasure of 
his personal data. The DPC accepts the arguments put forward by the CSAs on this point, and it has 
amended section 11 below (“Decision on infringements of the GDPR”) accordingly. 

In relation to (iii) an alleged infringement of Article 6(1) of the GDPR, the DPC notes the concerns of the 
CSAs and it has carefully considered the matter further. Article 6(1) of the GDPR provides for a number of 
lawful bases upon which personal data may be processed. The objection of the CSAs in this regard is 
predicated upon the view that, between 26 May 2018 (when the complainant submitted his request for 
erasure) and 14 August 2019 (when the complainant’s personal data was deleted), Groupon continued to 
process the complainant’s personal data without a lawful basis, in contravention of Article 6(1). 

The DPC notes that it raised with Groupon the matter of its compliance with Article 6 of the GDPR by way 
of correspondence dated 29 March 2019. Groupon responded by way of correspondence to the DPC 
dated 11 April 2019, expressing the view that said processing was lawful by virtue of the necessity of the 
processing in order to continue to perform the contract between the parties (pursuant to Article 6(1)(b) of 
the GDPR). 

In this regard, and noting the submissions made by the parties to the complaint including the views of the 
CSAs, the DPC determines that Groupon infringed Article 6(1) of the GDPR by continuing to process the 
complainant's personal data following receipt of his request for erasure. The complainant’s request for 
erasure was valid, and had a basis under Article 17; and Groupon’s request for verification is adjudged to 
have been inconsistent with the principle of data minimisation pursuant to Article 5(1)(c) of the GDPR, as 
outlined above at paragraph 6.4. As such, Groupon’s requirement for a copy of a national identity 
document was invalid and the request for erasure should have been complied with when received, subject 
to the complainant’s account ownership being verified. In addition, subsequent to the change of policy by 
Groupon which took effect on 8 October 2018, the complainant’s personal data could have been erased at 
that point without a need for further action by the complainant as his email address had already been 
verified by Groupon (the complainant provided his email address to Groupon by way of his original 
emailed request for deletion of his personal data on 26 May 2018; in later correspondence to the DPC 
dated 7 March 2019, he stated: “Groupon can delete my personal data at any given time, without an 
additional verification on my part, since my e-mail address...has been already verified”). The DPC accepts 
the arguments put forward by the CSAs with regard to the lawful basis under Article 6(1) for continued 
processing of the complainant’s personal data after his request for erasure was made to Groupon. 
Therefore, the DPC has amended section 11 below (“Decision on infringements of the GDPR”) 
accordingly. 

In addition to the further alleged infringements, outlined at points (i), (ii) and (iii) of paragraph 9.5 above, 
the Berlin data protection authority has suggested a possible infringement of Article 32 of the GDPR. The 
DPC notes the concerns of the Berlin data protection authority in this regard and it has carefully 
considered the matter further. In particular, the DPC notes the Berlin authority's statement that “It must 
also be clarified by what means the complainant should submit the scan of his or her ID card, because the 
non-encrypted or only transport-encrypted sending of an ID card scan by e-mail is regularly a violation of 
Art. 32 GDPR due to the high risk of abuse”. 

For the following reasons, the DPC does not propose to follow this objection. In the course of the DPC’s 
examination of this complaint, at no stage was any prima facie evidence adduced which would suggest 
that Groupon’s obligations under Article 32 of the GDPR (to “...implement appropriate technical and 
organisational measures to ensure a level of security appropriate to the risk” for the rights and freedoms 
of natural persons) were not being met. In addition, an alleged infringement of Article 32 was not raised as 
a ground of complaint (although the complaint did refer in general terms to hypothetical security risks 
associated with the transmission of identity documents) and did not form part of the DPC’s 
complaint-handling process; as such, an examination of Groupon’s compliance with Article 32 falls outside the scope 
of the complaint and of this decision. 


In the Polish data protection authority’s objection to the DPC’s draft decision, it raised further possible 
contraventions of the GDPR, as follows: 


(iv) an alleged infringement of Article 17(1)(b) of the GDPR, in conjunction with Article 7(3) of 
the GDPR 

(v) an alleged infringement of Article 25 of the GDPR 

(vi) potential infringements of Articles 5(1)(e) and 5(1)(f) of the GDPR 

(vii) a potential infringement of Article 24 of the GDPR. 


In relation to (iv) an alleged infringement of Article 17(1)(b) of the GDPR, in conjunction with Article 7(3) of 
the GDPR, the DPC notes the concerns of the Polish data protection authority and it has carefully 
considered the matter further. 

For the following reasons, the DPC does not propose to follow this objection. Article 17(1)(b) of the GDPR 
provides for a right of erasure of personal data where “the data subject withdraws consent on which the 
processing is based...”. Article 7(3) of the GDPR states that “The data subject shall have the right to 
withdraw his consent at any time...it shall be as easy to withdraw as to give consent”. The right of erasure 
under Article 17(1)(b) only arises in circumstances where the processing at issue is based on data subject 
consent, pursuant to Article 6(1)(a) or Article 9(2)(a) and where there is no other legal ground for the 
processing. In addition, in relation to Article 7(3), the view of the DPC is that Article 7 of the GDPR 
(“Conditions for Consent”) by definition addresses situations where consent is the lawful basis for 
processing cited by the controller. 

In this case, Groupon has not sought to rely on data subject consent, pursuant to Article 6(1)(a) of the 
GDPR, for the processing at issue. Rather, Groupon cites Article 6(1)(b) of the GDPR (processing 
necessary for the performance of a contract) as the lawful basis for the processing. Accordingly, the 
DPC’s view is that an infringement of Article 17(1)(b) could not arise where Groupon did not rely on the 
consent of the complainant for the processing. 

In relation to (v) an alleged infringement of Article 25 of the GDPR, the DPC notes the concerns of the 
Polish data protection authority and it has carefully considered the matter further. Article 25 of the GDPR 
provides for data protection by design and default, and requires controllers to put in place measures to 
implement data protection principles, such as data minimisation, in an effective manner. Moreover, Article 
25 requires controllers to implement appropriate technical and organisational measures to ensure that, by 
default, only personal data which are necessary for each specific purpose of the processing are 
processed. 

For the following reason, the DPC does not propose to follow this objection. In the course of the DPC’s 
examination of this complaint, an alleged infringement of Article 25 was not raised as a ground of 
complaint and did not form part of the DPC’s complaint-handling process; as such, an examination of 
Groupon’s compliance with Article 25 falls outside the scope of the complaint and of this decision. 

In relation to (vi) potential infringements of Articles 5(1)(e) and 5(1)(f) of the GDPR, the DPC notes the 
concerns of the Polish data protection authority and it has carefully considered the matter further. Article 
5(1)(e) of the GDPR provides that personal data may be kept in a form which permits identification of data 
subjects for no longer than is necessary for the purposes for which the personal data are processed; while 
Article 5(1)(f) states that personal data shall be processed in a manner that ensures appropriate security 
of the personal data. 

For the following reasons, the DPC does not propose to follow this objection. In the course of the DPC’s 
examination of this complaint, at no stage was any prima facie evidence adduced which would suggest 
that Groupon’s obligations under Articles 5(1)(e) or 5(1)(f) of the GDPR were not being met. In addition, an 
alleged infringement of Article 5(1)(e) or 5(1)(f) was not raised as a ground of complaint and did not form 
part of the DPC’s complaint-handling process; as such, an examination of Groupon’s compliance with 
these articles of the GDPR falls outside the scope of the complaint and of this decision. 

In relation to (vii) a potential infringement of Article 24 of the GDPR, the DPC notes the concerns of the 
Polish data protection authority and it has carefully considered the matter further. Article 24 of the GDPR 
provides that the controller shall put in place technical and organisational measures to ensure and be able 
to demonstrate that its processing is GDPR-compliant, taking into account the nature, scope, context and 
purposes of the processing, as well as the risks of varying likelihood and severity for the rights and 
freedoms of natural persons. In this regard, the Polish data protection authority argues that the DPC 
should examine “...whether it [Groupon] has carried out appropriate risk assessment and whether is [sic] 
able to argue why he [sic] has chosen such an intrusive form of identity verification”. 

For the following reasons, the DPC does not propose to follow this objection. Groupon amended its policy 
in relation to data subject identity verification as of 8 October 2018. As such, the DPC does not consider it 
necessary at this remove to make further inquiries from the perspective of Article 24 in relation to the 
compliance or otherwise of the identity verification policy for data subjects that Groupon had in place prior 
to 8 October 2018. In addition, an alleged infringement of Article 24 was not raised as a ground of 
complaint and did not form part of the DPC’s complaint-handling process; as such, an examination of 
Groupon’s compliance with this article of the GDPR falls outside the scope of the complaint and of this 
decision. 

In its objection to the DPC’s draft decision, the Polish data protection authority also suggested an 
infringement of Article 32(1) of the GDPR. The DPC has addressed this point at paragraphs 9.15 and 9.16 
above. 

In its objection to the DPC’s draft decision, the Polish data protection authority also raised the issue of the 
complainant’s concerns regarding the security of the transmission of the copy of his national identity card, 
and about the potential risk of a data breach. The DPC notes the concern of the Polish authority in this 
regard and it has carefully considered the matter further. 

The DPC does not consider that further inquiries are warranted in this regard and it considers that, in 
circumstances where the complainant in fact did not supply a copy of his identity card, the risk of a breach 
of his personal data did not arise. In the context of the wider (now discontinued) practice of Groupon 
requesting copies of national identity cards from data subjects seeking to exercise their data protection 
rights, the DPC considers that this issue does not fall within the scope of the current complaint, especially 
in circumstances where no prima facie evidence was adduced during the complaint handling process to 
suggest any security failings on the part of Groupon. 

In its objection to the DPC’s draft decision, the Polish data protection authority also proposes that the DPC 
should further examine whether Groupon has in fact changed its procedures in relation to the verification 
of data subject identity. The Polish authority states in this regard that “...even after the 8th October 2018 
several SAs have received complaints about controller’s [sic] identity verification procedure which 
necessitated a delivery of a copy of an identity card in this draft decision by the LSA”. The DPC notes the 
concern of the Polish authority in this regard and it has carefully considered the matter further. 

The DPC does not accept this proposal. The DPC has reviewed the active and concluded complaints 
against Groupon that it has received from other supervisory authorities in this regard, and cannot identify a 
complaint or complaints that suggest that data subjects have been required to submit a copy of a national 
identity document following the changes to Groupon’s identity verification procedures introduced in 
October 2018. In particular, while a small number of complaints in relation to Groupon’s requirement for a 
copy of a national identity document have been received by the DPC from other supervisory authorities 
post-8 October 2018, in each of these cases the initial request to Groupon and/or the initial complaint to 
the supervisory authority was made prior to 8 October 2018, i.e. before Groupon amended its procedures in 
this regard. The DPC is aware of one exception to this, where a complaint was received by the DPC from 
a supervisory authority regarding a request made to Groupon in 2019, in response to which the requestor 
was asked to provide a copy of a national identity card. In the course of the DPC’s examination of that 
complaint, Groupon advised that in this case a customer service operative had used an old Standard 
Operating Procedure script in error, which had contained a reference to its identity verification 
requirements in place before the change of policy on 8 October 2018. Accordingly, the DPC does not 
consider that a body of evidence exists to suggest that data subjects continued to be required by Groupon, 
as a matter of policy, to verify their identity by way of the submission of a copy of a national identity card 
after 8 October 2018. 

In its objection to the DPC’s draft decision, the Polish data protection authority also refers to a number of 
what it refers to as “clerical errors” in relation to dates referred to in the draft. In relation to the Polish 
authority’s statement that “Point 1.2. indicates that the complaint was received by the Polish supervisory 
authority on 4 June 2018, but the complaint was received by that authority on 8 June 2018”, the DPC 
notes that the complainant’s letter of complaint is dated 4 June 2018. Point 1.2 has been re-worded to 
reflect this. 

The Polish data protection authority further states that point 1.2 “...indicates that the complaint was 
transmitted to the Irish SA on 11 July 2018. Please indicate why the date indicated in the draft decision is 
11 July 2018 and not 5 July 2018 which is the date when the Irish SA accepted its role as the lead 
authority for the cross-border processing in question”. The DPC has amended the wording of point 1.2 to 
reflect the date on which the DPC accepted its role as LSA in respect of this matter. 

The Polish data protection authority further states that “In point 4.2. it is indicated that the complainant's 
request was received by the controller on 29 May 2018 instead of indicating a proper date - 26 May 2018”. 
The DPC would observe that 29 May 2018 is the date on which the complainant made a request for 
erasure of personal data through Groupon’s privacy portal (as he had been directed to do by Groupon). 
This does not contradict the fact that the complainant’s initial request was made by email on 26 May 2018, 
a fact explicitly recognised at paragraph 2.1 of this decision. As such the DPC does not consider that this 
constitutes a clerical error. 

The Dutch data protection authority, in its comment on the DPC’s draft decision, put forward the view that 
supervisory authorities are free to structure their complaint handling as they wish and that finding a breach 
of the GDPR does not automatically mean that corrective measures need be imposed. The DPC notes this 
view, and considers that no further analysis is required in this regard. 

The comment of the Portuguese data protection authority on the DPC’s draft decision was to the effect 
that it agreed with the DPC’s draft decision. The DPC notes this view, and considers that no further 
analysis is required in this regard. 


Submissions from Groupon on Revised Draft Decision 

10.1. By correspondence dated 5 October 2020, the DPC forwarded the revised draft decision (incorporating its 
analysis of the relevant and reasoned objections, and opinions, received from CSAs) to Groupon and 
invited it to revert with any final submissions it wished to make. 

10.2. By email dated 13 October 2020, Groupon reverted with a number of submissions that it wished to be 
taken into account. These were as follows: 

10.3. Under the heading ‘Infringement of Data Minimisation Principle’, Groupon stated as follows: 


“Groupon notes the DPC’s finding that requesting data subjects to verify their identity by way of 
submission of a copy of a national ID document constituted an infringement of Article 5(1)(c) of 
the GDPR in the circumstances of this complaint (para 10.1 of the draft decision). 


In this connection, and in respect to the DPC’s comments in paragraph 6.3 that Groupon did not 
specifically comment on how its requirement for a copy of a national ID in this context complied 
with the data minimisation principle, Groupon’s response is as follows. Groupon’s reason for 
requesting a copy of a photo ID from the complainant was to ensure that it was reasonably 
satisfied of his identity, and in particular that Groupon had sufficient information to assess whether 
the person making the request was the individual to whom the personal data that Groupon held 
related. 


While Groupon did not have a copy of a national identity card to which a copy could be compared 
due to the limited amount of data collected when an individual creates an account (and ultimately 
in compliance with the data minimisation principle), it nevertheless requested a photo ID in order 
to be satisfied that it had robustly verified the identity of the complainant. In particular, the process 
was aimed at ensuring that the name of the complainant matched the name of the individual for 
which a Groupon account was held and that the complainant could reasonably demonstrate, by 
way of providing a photo ID, that they were the individual concerned. Had the photo ID been 
provided by the complainant, Groupon would have only used the requested information for this 
limited purpose, i.e. to confirm the complainant’s identity, and would not have taken further action 
such as adding a copy to the complainant’s Groupon account, which would have been 
subsequently deleted in any event. 


In particular, Groupon’s intention behind requesting the photo ID was not to collect excessive, 
irrelevant or unnecessary information contrary to the data minimisation principle. Groupon was 
concerned to ensure that in honouring the request to delete information in respect of the 
complainant, it did not delete data relating to an individual that wished to continue to use his or her 
Groupon account. Groupon was also particularly concerned to ensure the security of the personal 
data under its control in accordance with Article 5(1)(f) GDPR, and in an effort to mitigate the risk 
of fraud on its platform, sought to take reasonable and appropriate steps to verify the 
complainant’s identity beyond asking him to submit his name and email address. 


Ultimately ensuring compliance with the principle of data minimisation on one hand and accuracy 
and security on another in the context of erasure requests requires a delicate balancing exercise 
in practice. In order to better strike this balance, in October 2018 Groupon amended its 
procedures in relation to verification of identity and now uses an email verification technique 
whereby data subjects are sent an email to the email address provided for their Groupon Account 
that must be accessed to confirm the requestor’s identity in order to exercise the individual rights 
afforded by the GDPR. Above all, Groupon wants to reassure the DPC and CSAs that it strives to 
meet the GDPR requirements in the course of carrying out its business operations and will 
continue to do so”. 


10.4. Under the heading ‘Infringement of Article 12(2)’, Groupon stated as follows: 


“Groupon also notes the DPC’s finding that Groupon infringed Article 12(2) of the GDPR by 
requesting additional information as to the complainant’s identity at the time he made his request 
for erasure, in circumstances where it has not demonstrated that reasonable doubts existed 
concerning the complainant’s identity that would have necessitated the application of Article 12(6) 
of the GDPR (paragraph 10.2 of the draft decision). 


In response to the DPC’s comments in paragraph 6.5 that Groupon has not demonstrated or 
indicated that it had reasonable doubts as to the complainant’s identity, Groupon would like to 
reiterate the points made above. In particular, Groupon sought additional information from the 
complainant in order to achieve an appropriate balance between ensuring that Groupon had 
robustly identified the individual to whom the request related, while also ensuring the accuracy 
and security of its platform. Groupon honoured the complainant’s request when he subsequently 
followed the email verification process as this enabled Groupon to verify account ownership and 
appropriately identify the data subject”. 


10.5. Under the heading ‘Infringement of Article 17(1)(a) GDPR’, Groupon stated as follows: 


“In respect of the DPC’s finding that Groupon infringed the complainant’s right to erasure under 
Article 17(1)(a) of the GDPR, I would simply point out that the right to erasure in Article 17 is 
subject to the requirements of Article 12. Groupon did not comply with the complainant’s original 
erasure request of 26 May 2018 because Groupon believed at the time it was not in a position to 
verify the identity of the complainant, based on its identity requirements at the time. 


However, I would please urge you to note that once the complainant followed Groupon’s revised 
process to verify his identity, Groupon duly complied with his second erasure request within the 
timeframe required by Article 12 and in compliance with Article 17. Accordingly it is not entirely 
appropriate to say that Groupon’s reason for not complying with the complainant’s first erasure 
request was due to a systemic failure to meet the requirements of Article 12 and Article 17. In light 
of this, we ask the DPC to reconsider its findings in paragraph 10.3 of the draft decision”. 


10.6. Under the heading ‘Infringement of Article 6(1) GDPR’, Groupon stated as follows: 


“Groupon notes the DPC’s finding in paragraph 10.4 that Groupon continued to process the 
complainant’s personal data without a lawful basis, following its receipt from the complainant on 
26 May 2018 of a valid request for erasure of his personal data. We have set out above why in 
Groupon’s view it was justified in not handling the original request for erasure and why it 
continued to process the personal data in question and therefore we ask the DPC to reconsider its 
findings in paragraph 10.4. 


We understand that in the DPC’s opinion we may have got that balance wrong in respect of this 
particular complaint, but we trust the changes we made to our processes in October 2018 
reassure the DPA and CSAs that Groupon has taken appropriate steps to ensure that its 
processes are aligned with the requirements of the GDPR going forward and that no further action 
in this connection is necessary. Ultimately, Groupon has taken onboard all recommendations and 
adapted its compliance practices accordingly, which means that the purpose of the regulatory 
action envisaged by the GDPR has fully fulfilled its purpose”. 


10.7. The DPC has carefully considered Groupon’s submissions in relation to the finding of infringement of the 
principle of data minimisation (at point 10.3 above). In particular the DPC notes Groupon’s stated view 
that its reason for requesting a copy of a national identity card was to ensure that it was reasonably 
satisfied of the complainant’s identity, and in particular that Groupon had sufficient information to assess 
whether the person making the request was the individual to whom the personal data that Groupon held 
related. Furthermore, the DPC notes that Groupon’s intention by way of this practice was not to collect 
excessive, irrelevant or unnecessary information contrary to the data minimisation principle, and that its 
concern was to ensure that in honouring the request to delete information in respect of the complainant, it 
did not delete data relating to an individual that wished to continue to use his or her Groupon account. 
The DPC further notes that Groupon was anxious to ensure the security of the personal data under its 
control in accordance with Article 5(1)(f) GDPR, and in an effort to mitigate the risk of fraud on its 
platform. Moreover, the DPC notes that Groupon would have only used the requested information for this 
limited purpose, i.e. to confirm the complainant’s identity, and would not have taken further action such as 
adding a copy to the complainant's Groupon account, and that the identity document would have been 
deleted in due course. 

Nonetheless, the DPC’s view remains that the procedure in place between 25 May 2018 and 8 October 
2018 (whereby a requesting data subject was required to submit ID, where no such requirement for ID 
was in place at the time a data subject opened a Groupon account) constituted an infringement of the 
principle of data minimisation, as outlined in section 11 below. This is especially so in light of the fact that 
an alternative, less data-driven means of verifying the complainant’s identity — while still meeting its other 
obligations such as ensuring the security of processing — was available to Groupon, as evinced by the 
change in its verification procedures after 8 October 2018. 

The DPC has carefully considered Groupon’s submissions in relation to the finding of infringement in 
respect of Article 12(2) of the GDPR (at point 10.4 above). In particular, the DPC notes that Groupon’s 
concern in seeking additional information (in the form of a copy of a national identity card) was to achieve 
an appropriate balance between ensuring that Groupon had robustly identified the individual to whom the 
request related, while also ensuring the accuracy and security of its platform. The DPC also notes that 
Groupon honoured the complainant's request when he subsequently followed the email verification 
process. 

This notwithstanding, the DPC maintains its position that Article 12(2) of the GDPR was infringed in 
circumstances where Groupon did not demonstrate that it had reasonable doubts concerning the 
complainant’s identity, such as would have necessitated the application of Article 12(6) of the GDPR. In 
particular, it is clear that the request for a copy of a national identity card was not made on foot of any 
specific doubt as to the complainant's identity, but rather was a result of the policy that was in place in 
Groupon at the time. 

The DPC has carefully considered Groupon’s submissions in relation to the finding of an infringement of 
Article 17(1)(a) of the GDPR (at point 10.5 above). In particular the DPC notes Groupon’s statement that 
it did not comply with the complainant's original erasure request of 26 May 2018 because Groupon 
believed at the time it was not in a position to verify the identity of the complainant, based on its identity 
requirements at the time. The DPC also notes that Groupon complied with the complainant’s second 
erasure request within the timeframe required by Article 12 and in compliance with Article 17. 

However, the DPC does not accept Groupon’s view that the above factors should lead the DPC to resile 
from its finding that an infringement of Article 17(1)(a) occurred. The DPC maintains its position that, in 
circumstances where Groupon’s requirement for the complainant to submit a copy of a national identity 
card has been adjudged to have been non-compliant with the GDPR, and that an alternative, less 
data-driven means of verification was available to Groupon, it infringed Article 17(1)(a) of the GDPR when it failed 
to act on the complainant's request for erasure of his personal data, on the basis that he had not provided 
a copy of a national identity card. 

The DPC has carefully considered Groupon’s submissions in relation to the finding of an infringement of 
Article 6(1) of the GDPR (at point 10.6 above). The DPC notes Groupon’s statements and, in particular, 
the DPC notes that Groupon has taken steps to ensure that its processes are aligned with the 
requirements of the GDPR going forward. The DPC further notes Groupon’s view that it was justified in 
not handling the original request for erasure and why it continued to process the personal data in 
question, for the reasons it outlines. 

This notwithstanding, the DPC maintains its position that, in circumstances where Groupon’s request for 
verification of the complainant's identity has been adjudged to have been inconsistent with the principle of 
data minimisation pursuant to Article 5(1)(c) of the GDPR (and where, as such, Groupon’s requirement 
for a copy of a national identity document was invalid) the request for erasure should have been complied 
with when received, subject to the complainant’s account ownership being verified. In addition, 
subsequent to the change of policy by Groupon which took effect on 8 October 2018, the complainant’s 
personal data could have been erased at that point without a need for further action by the complainant. 
Thus the continued processing of the complainant’s personal data following receipt of his request for 
erasure constituted an infringement of Article 6(1) of the GDPR. 


Communication of revised draft decision to CSAs 

On 20 October 2020, a revised draft of this decision was transmitted to CSAs pursuant to Article 60.3 of 
the GDPR. 

Subsequently, the DPC received one objection and a number of comments from CSAs in respect of the 
revised draft decision, as follows: 

The Berlin data protection authority submitted an objection to the draft decision as revised, maintaining its 
objections to the first draft of the decision and reiterating its view that the imposition of a fine was 
warranted in the circumstances. 

The Portuguese data protection authority submitted a comment, indicating that it did not object to the draft 
decision as revised. 

The Polish data protection authority submitted a comment, indicating that it had nothing further to add to 
the draft decision as revised. The DPC subsequently clarified that the Polish data protection authority was 
not maintaining the objections it had raised to the initial draft, with the Polish authority stating that “We find 
that your draft decision answers all our concerns which we enlisted in the form of the RRO at the draft 
decision step. Thus, we agree that the final version of the decision can be published”. 

On 14 December 2020, the DPC received confirmation from the Berlin data protection authority that it had 
withdrawn its objection to the draft decision as revised. 

The correspondence from the CSAs in this regard is attached in full at Appendix B. 


Decision on infringements of the GDPR 


The DPC finds that Groupon’s requirement that the complainant verify his identity by way of submission of 
a copy of a national ID document constituted an infringement of the principle of data minimisation, pursuant 
to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where no such requirement for 
ID was in place at the time a data subject opened a Groupon account, and a less data-driven solution to the 
question of identity verification (namely by way of confirmation of email address) was available to Groupon. 
The DPC notes that this infringement continued from 25 May 2018, when the GDPR came into effect, until 
8 October 2018, when Groupon amended its privacy policy and discontinued its requirement for requesting 
data subjects to verify their identity by way of submission of a copy of a national ID document. 

The DPC finds that Groupon infringed Article 12(2) of the GDPR by requesting additional information as to 
the complainant’s identity at the time he made his request for erasure, in circumstances where it has not 
demonstrated that reasonable doubts existed concerning the complainant’s identity that would have 
necessitated the application of Article 12(6) of the GDPR. 

As outlined at point 9.11 above, following an analysis of a relevant and reasoned objection received in 
relation to the first draft of this decision, the DPC finds that Groupon infringed Article 17(1)(a) of the GDPR. 
This infringement occurred when Groupon failed to comply with the complainant’s erasure request of 26 
May 2018, in circumstances where its requirement that the complainant submit a copy of a national identity 
card is adjudged to not have been in compliance with the GDPR. 

As outlined at point 9.14 above, following an analysis of a relevant and reasoned objection received in 
relation to the first draft of this decision, the DPC finds that Groupon infringed Article 6(1) of the GDPR. This 
infringement occurred when Groupon continued to process the complainant’s personal data without a lawful 
basis, following its receipt from the complainant on 26 May 2018 of a valid request for erasure of his personal 
data. 


Remedial Measures by Groupon 


In respect of these infringements, it is noted that Groupon has taken certain remedial measures. 
Regarding the principle of data minimisation pursuant to Article 5(1)(c) of the GDPR, Groupon has 
discontinued its practice of requiring a data subject to submit a copy of a national ID card when making a 
request to Groupon, in order to verify their identity. Groupon now verifies a data subject’s identity by way 
of the data subject confirming their email address, and has updated its privacy policy to reflect this 
change. 

13.2. In respect of the complainant’s request for erasure of personal data pursuant to Article 17(1) of the GDPR, 
it is noted that Groupon has erased the complainant’s personal data, albeit it did not act on the request for 
erasure made on 26 May 2018 but on the basis of a second erasure request made in July 2019. 


14. Exercise of Corrective Power by the DPC 


14.1. In light of the extent of the infringements identified above, the DPC hereby issues a reprimand to Groupon, 
pursuant to Article 58(2)(b) of the GDPR. 


Signed: 


Deputy Commissioner 
On behalf of the Data Protection Commission 

Appendix A: 


Objections and opinions received from CSAs to draft decision 


1. Objection received from the Berliner Beauftragte für Datenschutz und Informationsfreiheit 


Berliner Beauftragte für Datenschutz und Informationsfreiheit 


XXX.XX.X 22 June 2020 


Relevant and reasoned objection against the Draft Decision XXXXXX 


The Berlin Commissioner for Data Protection and Freedom of Information expresses a relevant and 
reasoned objection against the Draft Decision XXXXXX of the Data Protection Commission in Ireland 
(DPC) with regard to the controller Groupon International Limited (Groupon). 


1. Procedural law 


From a procedural point of view, the Berlin Commissioner for Data Protection and Freedom of 
Information criticises that the DPC has taken no measures provided for in Art. 58(2) GDPR, even 
though the DPC found that there had been data protection infringements of Art. 5(1)(c), Art. 12(2) and 
(6) GDPR. 


In contrast to Directive 95/46/EC, the GDPR requires the supervisory authority to use its corrective 
power under Art. 58(2) GDPR in the event of data protection infringement being identified by the 
supervisory authority. In this way, the legislator wanted to contribute to the effective implementation of 
data protection provisions. Furthermore, in proceedings under Art. 77 GDPR and in contrast to the 
mere petition procedure still provided for in Directive 95/46/EC, the complainant can also expect that 
in the case of an established violation of his or her rights, a corrective power appropriate to the 
violation is exercised. 


The lead supervisory authority has indeed a discretion as to which of the measures referred to in Art. 
58(2) GDPR it takes. If - as in this case - the controller independently remedies the infringement in the 
course of the proceedings, there is no need, for example, for using the measures under Art. 58(2)(c) 
or (d) GDPR. Nevertheless, the lead supervisory authority must examine whether the infringement is 
to be punishable by a fine pursuant to Art. 58(2)(i) GDPR or whether the lead supervisory authority 
leaves it at a reprimand pursuant to Art. 58(2)(b) GDPR, which is intended for cases in which - as in 
this case - an infringement has been established but is considered minor. In the specific case, 
however, it must be noted that there has been a systematic violation of data subjects’ rights (see point 
3). 

In any event, the complete waiver of exercising a corrective power constitutes a misuse of discretion, 
since the legal consequence chosen is not included in the options for action provided for under Art. 
58(2) GDPR. 


The monitoring of Groupon as proposed by the DPC is at most one of the investigative powers 
provided for in Art. 58(1) GDPR and does not constitute a corrective power on the part of the 
supervisory authority under Art. 58(2) GDPR. For this reason alone, the DPC’s Draft Decision erred in 
law. However, because of the data protection infringements against Art. 5(1)(c), Art. 12(2) and (6) 
GDPR identified by the DPC, Groupon should at least be issued with a reprimand in accordance with 
Art. 58(2)(b) GDPR. This is also to be extended to the infringements of Art. 6(1), the first sentence of 
Art. 12(3) and Art. 17(1)(a) GDPR. Since there is a systematic infringement of the rights of the data 
subjects (see point 3), it must also be questioned whether a fine can actually be avoided. 


2. Substantive law 


Furthermore, the Berlin Commissioner for Data Protection and Freedom of Information criticises the 
lack of a substantive assessment of Groupon's infringements of Article 6(1), the first sentence of 
Article 12(3), and Article 17(1)(a) GDPR. 


According to the first sentence of Art. 12(3) GDPR, the controller must provide the data subject with 
information on the measures taken upon request pursuant to Art. 15 to 22 GDPR without delay as a 
rule, but in any case within one month of receipt of the request. This means that the controller must 
confirm the deletion or at least state why this is not possible within the deadline. This period may 
exceptionally be extended by a further two months if this is necessary in view of the complexity and 
number of applications. However, the GDPR does not provide for a routine and blanket extension of 
the deadline without examining the individual case. Nor has Groupon informed the complainant of any 
extension of the deadline and the reasons for it. 


According to the "Main Findings" contained in the DPC’s Draft Decision under 6.4. and 6.5., Groupon 
has not proved or submitted any evidence that at the time of the complainant's request for erasure on 
26 May 2018 there were indeed justified doubts as to the identity of the complainant. 


Consequently, the reply to the complainant's request for erasure of 26 May 2018 was submitted late, 
on 14 August 2019. This also constitutes a violation of Article 12(3) GDPR by Groupon. Since the 
complainant made it clear with the request for erasure of his account that he was no longer interested 
in any further business relationship with Groupon, his data had to be deleted under Article 17(1)(a) 
GDPR because the processing was no longer necessary for the purposes for which they were 
collected or otherwise processed. This was not done, so there is also a violation of Art. 17(1)(a) 
GDPR. Further, between 26 May 2018 and 14 August 2019, an unauthorised processing of the 
complainant's personal data took place and thus a violation of Article 6(1) GDPR, because the legal 
basis for the processing ceased to exist when the necessity for processing for the original purposes 
ceased to exist. 

1 If the complete waiver of a corrective measure were a permissible option in the case of minor infringements 
that the controller has already remedied, the institution of the reprimand would be rendered meaningless, since 
it is envisaged precisely for such cases. 


Since Groupon - as it has itself submitted - has systematically and unlawfully requested the 
submission of an ID scan on the basis of its internal guidelines, it must also be assumed that a large 
number of other persons are affected and will have submitted an ID scan after or at Groupon's 
request. This would constitute unauthorized processing of personal data by Groupon. Since this is an 
obvious violation that came to light in the course of the handling of the complaint, this aspect must also 
be clarified and, if necessary, sanctioned. It must also be clarified by what means the complainant 
should submit the scan of his or her ID card, because the non-encrypted or only transport-encrypted 
sending of an ID card scan by e-mail is regularly a violation of Art. 32 GDPR due to the high risk of 
abuse. 


3. Systematic infringement, fine 


Groupon has - as presented itself - systematically requested the ID card scan for all erasure requests 
based on its internal guidelines. This systematically violated data subjects’ rights. As a result, 
personal data were systematically processed without authorization. With the systematic denial of the 
data subjects’ right to request erasure, the substance of the corresponding data subject right was 
violated. 


Hence, this cannot in any way be assumed to be a minor breach because there is a considerable 
danger to the data subjects’ data protection rights, because the concerned duty to erase is affected in 
its substance and because the breach indicates a systemic problem or lack of suitable procedures 
(all criteria in favour of the imposition of a fine, see WP253 III.a)). Further, the infringement was 
intentional (see WP253 III.b)). Moreover, the specific infringement was not remedied independently by 
Groupon after it had been identified, but only after the complainant had submitted a new request for 
erasure on 17 July 2019, although even this request - taking into account the fact that it was only 
processed just under a month after it had been lodged - was apparently not processed in time. 
Groupon thus did nothing to remedy the damage resulting from the complainant's loss of control, but 
deliberately maintained this state of affairs even after Groupon had become aware of the unlawfulness 
of its actions and the supervisory authority had intervened (see WP253 III.c), f)). 


After all this, the imposition of a fine in this case seems to be mandatory. 

2. Objection received from the Office of Personal Data Protection (UODO) of Poland 


REASONED AND RELEVANT OBJECTION OF THE POLISH SA 


to the draft decision no. XXXXXX.X concerning Groupon 


Polish SA expresses a relevant and reasoned objection to the draft decision no. 127084 issued by the 
Irish SA and supports the relevant and reasoned objection expressed by the Berlin SA. The Polish SA 
considers that issuance of the reprimand to the controller is not sufficient by taking into account the 
findings of this procedure. An administrative fine should be imposed in addition to, or instead of a 
reprimand. 


Polish SA wishes to underline that the systemic nature of the infringement is also supported by the fact 
that the Irish supervisory authority has received a number of complaints about the controller’s behaviour 
consisting of unlawful requesting of the copy of an ID card (cases no. C-XX-XX-XXX; C-XX-XX-XXX; 
C-XX-XX-XXX; C-XX-X-XX; C-XXK-X-XXX, C-XX-X-XXX and C-XX-X-XXX) and about 
the implemented (probably also currently) mechanism for identifying data subjects through a third party 
(One Trust). The Irish SA decided to merge all these cases into two case registers — no. 47718.1 and 
112546.1. However, until now, even after establishing that the issue has a systemic nature, and even 
after receiving a number of complaints, the Irish SA has not yet initiated an ex officio action against the 
controller which might seek to clarify any doubts relating to these processes. 


Polish SA wishes to indicate that the complainant in his complaint has submitted that art. 17(1)(b) GDPR 
in conjunction to art. 7(3) GDPR has been infringed. The complainant pointed out that withdrawal of 
consent should be as easy as giving it, but at the time of registration he was not required to attach a 
photograph of his identity card. Furthermore, he stated that the data requested by the controller was 
excessive. Moreover, the complainant states that the controller has not indicated why he needs to verify 
his identity and that he is afraid of a data leak which could probably even lead to taking loans or credits 
by using his data. This means that the complainant has shown that the controller may have committed, 
in addition to a breach of art. 17(1)(b) in conjunction with art. 7(3) of the GDPR, a breach of Articles 5, 
12(6) and 32(1) of the GDPR. The draft decision of the Irish SA does not analyse art. 7(3) fourth sentence 
GDPR nor does it analyse art. 32(1) GDPR. In the opinion of the Polish SA every problem identified in 
the complaint should be analysed and assessed for the existence of an infringement. 


It follows from the established facts of the case that by introducing an identity verification procedure 
consisting of attaching a copy of the identity card to every request for the exercise of data subjects’ 
rights, the controller not only unduly impeded, but even prevented the exercise of data subjects' rights 
and thus infringed art. 12(2) GDPR and 12(6) GDPR, as well as, to a high degree of probability, also 
violated the first and fourth sentences of Article 7(3) GDPR, as it appears that the controller did not 
accept the withdrawal of the complainant's consent. The execution of complainant's right to withdraw 
his consent should have been examined in detail by the LSA, but it appears from the wording of the 
draft decision that this aspect of the complaint has not been taken into account. 


The complainant was also concerned about the security of the transmission of the data in the form of 
a copy of an identity card and about the potential risk of data breach, but this problem was also not 
tackled in this draft decision by the LSA. 


The Polish SA wishes to highlight that it is still to establish whether the controller indeed resigned from 
the verification procedure, since even after the 8th October 2018 several SAs have received complaints 
about controller’s identity verification procedure which necessitated a delivery of a copy of an identity 
card and about its use of third parties to carry out this verification process. 


The LSA should also consider whether the cross-border processing described in the complaint has not 
violated or continues to violate the principles of privacy-by-design and privacy-by-default stemming 
from Article 25 of the GDPR, which are closely linked to the identified breach of the data minimisation 
principle. 


It should also be examined whether the controller has breached the principle of storage limitation 
(Article 5(1)(e)) and the principle of confidentiality and integrity (Article 5(1)(f)). In addition, it should 
be examined whether the controller has acted in accordance with Article 24 of the GDPR, i.e. whether 
it has carried out appropriate risk assessment and whether it is able to argue why he has chosen such an 
intrusive form of identity verification. 


The Polish SA indicates that several clerical errors can be found in the content of the draft decision. In 
point 4.2. it is indicated that the complainant's request was received by the controller on 29 May 2018 
instead of indicating a proper date - 26 May 2018. Point 1.2. indicates that the complaint was received 
by the Polish supervisory authority on 4 June 2018, but the complaint was received by that authority on 
8 June 2018. The same point indicates that the complaint was transmitted to the Irish SA on 11 July 
2018. Please indicate why the date indicated in the draft decision is 11 July 2018 and not 5 July 2018 
which is the date when the Irish SA accepted its role as the lead authority for the cross-border processing 
in question. 

3. Opinion received from the Portuguese Comissão Nacional de Protecção de Dados (CNPD) 


COMISSÃO NACIONAL 
DE PROTECÇÃO DE DADOS 

OPINION/XXXX/XX 
Case XXXXXXXXXXX 
(e) 
Assessment of the CNPD 

23. Article 5(1)(c) of the GDPR provides that personal data must be “adequate, 
relevant and limited to what is necessary in relation to the purposes for which 
they are processed ("data minimisation")”. 

24. Article 12(2) of the GDPR provides that “the controller shall facilitate the 
exercise of data subject’s rights in accordance with Articles 15 to 22. In the 
cases referred to in Article 11(2), the controller shall not refuse to act on the 
request of the data subject for exercising his or her rights under Articles 15 to 
22, unless the controller demonstrates that it is not in a position to identify the 
data subject”. 

25. Article 12(6) of the GDPR provides that “[W]ithout prejudice to Article 11, where 
the controller has reasonable doubts concerning the identity of the natural 
person making the request referred to in Articles 15 to 21, the controller may 
request the provision of additional information necessary to confirm the identity 
of the data subject”. 

26. The controller required the data subject to submit a copy of his identity card to 
process the deletion request although the availability of such data was not a 
requirement at the account opening stage and, therefore, there was no way to 
verify later the accuracy of the information 

27. In submitting the application for the exercise of rights — in this case of deletion 
— the data subject must identify himself strictly but does not have to provide 
more personal data than those processed by the controller at the time of the 
opening of the account. 

28. The CNPD therefore agrees with the legal classification of the infringements 
registered by the LSA: there is a violation of Articles 5(1)(c), 12(2) and (6) of 
the GDPR. 

29. However, the controller adopted, long before the Irish supervisory authority 
intervened, corrective and less intrusive measures regarding the identity 
verification procedure following which he guaranteed the data subject's right to 
erasure. 

30. In short, the right of the data subject was safeguarded and the procedures of 
the controller rectified in accordance with the GDPR. 

31. Therefore, as a supervisory authority concerned, the CNPD agrees with the 
draft decision submitted by the Irish supervisory authority. 

32. This Opinion shall be made known to the lead supervisory authority and the 
other supervisory authorities concerned. 


Lisbon, 23 June 2020 


Filipa Calvão (President) 

4. Opinion received from the Danish Datatilsynet 


Dear colleagues, 


The Data Protection Agency agrees that the controller infringed Article 5(1)(c) and Article 
12(2) and 12(6) of the GDPR. The Danish Data Protection Agency considers that an 
infringement such as that referred to in the case should lead to a reprimand pursuant to 
Article 58(2)(b). In this context, the Danish Data Protection Agency may refer to the decision 
made by the DPA in IMI case XXXXX, which also concerned a controller's request for ID 
validation in connection with a request from the data subject. 


Kind regards 
Added by: DK - SA Denmark (Data Protection Agency) 
Added on: 23/06/2020 13:31 CEST 


5. Opinion received from the Dutch Autoriteit Persoonsgegevens 


Given some of the objections/comments, our general comment is that -in our view- SAs are 
free to structure their complaint handling process in such way that it includes arrangements 
for amicable settlement or alternative complaint resolution, provided that they respect their 
obligations under the OSS system and their obligations with regard to informing the 
complainant, including statement of the reasons for having closed the complaint. Also, 
procedural safeguards must be in place to make sure alternative complaint handling does not 
render it too difficult to exercise the rights derived from the GDPR or foreclose ways to 
effectively address complaints via procedures in national law. 


NL SA notes that finding of a breach of the GDPR does not automatically mean that 
corrective measures must be imposed per se. It requires a case-by-case assessment to find 
an appropriate regulatory response. E.g. where a controller already has implemented 
changes, a corrective measure may not be necessary. 


Added by: NL - SA The Netherlands (Authority for Personal Data) 
Added on: 23/06/2020 15:26 CEST 


6. Opinion received from the Italian Garante Per La Protezione Dei Dati Personali 


We would like to point out a few criticalities in respect of the draft decision submitted by the DPC, 
which in our view should be reconsidered as to its relevance and consequences. 


• First of all, it is worth underlining that the DPC has not opened an informal consultation with 
the CSAs in order to share the outcomes of its investigation and thereby facilitate the 
achievement of consensus before submitting a formal draft decision. 

• As to the merits of the case, the DPC reports that the complainant refused the amicable 
settlement attempted and establishes that two violations of the GDPR took place in the case 
at issue, namely concerning Article 5 (1) (c) and Article 12(2) and (6). The DPC itself notes that 
this infringement continued from 25 May 2018, when the GDPR came into effect, until 8 
October 2018, when Groupon amended its privacy policy and discontinued its requirement 
whereby data subjects had to verify their identity by way of submission of a copy of a national 
ID document. The DPC also finds that Groupon infringed Article 12(2) of the GDPR by 
requesting additional information as to the complainant’s identity at the time he made his 
request for erasure, in circumstances where it has not been demonstrated that reasonable 
doubts existed concerning the complainant’s identity such as to necessitate application of 
Article 12(6) of the GDPR. 

• In addition, as outlined by the Hessen colleagues, we would argue that Article 12 (3) and 
Article 17 GDPR were also infringed. Indeed, the reply to the complainant's request for erasure 
of 26 May 2018 was provided by Groupon belatedly, on 14 August 2019 — that is, beyond the 
term set forth by article 12(3) GDPR. Furthermore, as the complainant made it clear with the 
request for erasure of his account that he was no longer interested in any further business 
relationship with Groupon, his data had to be deleted under Article 17(1)(a) GDPR because 
the processing was no longer necessary for the purposes for which the data had been 
collected or otherwise processed. This was not done until 14 August 2019, so that between 
26 May 2018 and 14 August 2019 unauthorised processing of the complainant's personal data 
took place resulting into a violation of Article 6(1) GDPR, because the legal basis for the 
processing ceased to exist when the necessity for processing for the original purposes ceased 
to exist. 

• In light of the above, taking into account that the infringements at issue are considered to be 
especially serious under Article 83(5) of the GDPR, and given that these violations were not 
remedied independently by Groupon after they had been detected as the required steps were 
taken only after the complainant had submitted a new request (which is clearly evidenced by 
the report submitted by the DPC), we deem that an administrative fine is appropriate in this 
case to stigmatize the failure by such a major controller to be fully and proactively accountable 
for its data processing policies. Alternatively, we would suggest considering imposition of a 
reprimand under Article 58(2)b as a way to signal the incorrect handling of the case by the 
controller and, more generally, the lack of suitable arrangements for dealing with this and 
similar cases in terms of data protection. In either case, one might also consider whether an 
order for the adoption of specific measures should also be issued by the DPC (under Article 
58(2)d) by having regard to the organisational failure brought to light by the complaint, which 
would enable the DPC to set a specific deadline for compliance rather than envisaging the 
possibility of considering such measures ‘in future’. 


Best regards 


The Italian DPA 

Appendix B: 


Objections and comments received from CSAs to revised draft decision 


1. Objection received from the Berliner Beauftragte für Datenschutz und Informationsfreiheit 


Berliner Beauftragte für Datenschutz und Informationsfreiheit 


DPA Ref: XXX.XX 
DPC Ref: C-XX-X-XX 


Relevant and Reasoned Objection against the Revised Draft Decision XXXXXX 


The Berlin Commissioner for Data Protection and Freedom of Information expresses a relevant and 
reasoned objection against the Revised Draft Decision 157898 of the Data Protection Commission in 
Ireland (DPC) with regard to the controller Groupon International Limited (Groupon). 


I. However, first of all we would like to point out that in this case the issuance of a Revised Draft 
Decision is inadmissible from the outset and instead, according to Article 60(4) GDPR, the DPC has to 
initiate the consistency mechanism according to Article 63, 65(1)(a) GDPR. We therefore ask the 
DPC to submit the matter to the Board immediately for the following reasons. 


II. According to Article 60(5) GDPR, the issuance of a Revised Draft Decision is permissible only in the 
case that the lead supervisory authority intends to follow all relevant and reasoned objections made. 
In its Revised Draft Decision, the DPC explicitly states that it does not intend to follow several of the 
relevant and reasoned objections made by the Berlin Commissioner for Data Protection and 
Freedom of Information and the Polish DPA. According to Article 4 No. 24 GDPR, a relevant and 
reasoned objection must relate to whether there is an infringement of the GDPR, or whether 
envisaged action in relation to the controller or processor complies with the GDPR, which is the case 
here. Hence, Article 60(4) GDPR requires the DPC being the lead supervisory authority in this case to 
submit the matter to the consistency mechanism referred to in Article 63 GDPR. 


III. We expressly maintain our reservations about the substance of the Draft Decision to the extent 
that the DPC has not accepted them. Further, if the DPC’s assessment of whether Groupon has not 
breached Article 12(3) GDPR were correct, there at least were a breach of Article 12(4) GDPR. 


IV. The question of whether there is an infringement of Article 32 GDPR cannot be disregarded for 
the very reason that the complainant has explicitly described the procedure used by Groupon as 
“dangerous”. It should be kept in mind that a complainant is a natural person who may express 
concerns, but cannot be expected to have in-depth knowledge. Rather, it is the task of a data 
protection supervisory authority, to enforce the application of the GDPR and to protect the rights of 
the data subjects. Therefore, the lead supervisory authority is also obliged to examine and, if 
necessary, sanction such aspects even if they are not expressly mentioned by the complainant but 
which come to light in the course of the investigation of the complaint, in particular if — as in the 
present case — they directly relate to the very substance of the complaint. 


V. Moreover, we state that, according to the wording of the Draft Decision, the DPC has not even 
considered the imposition of a fine, although we have shown in detail the reasons for the imposition 
of a fine. 


Hence, the question of whether the alleged infringements of the GDPR actually exist and whether a 
fine should be imposed is therefore a matter for the Board to decide. 

2. Comment received from the Portuguese Comissão Nacional de Protecção de Dados (CNPD) 


Case XXX/XXXX/XX 


COMISSÃO NACIONAL 
DE PROTECÇÃO DE DADOS 


OPINION/2020/132 


1. Pursuant to Article 60(5) of Regulation (EU) 2016/679 (General Data Protection Regulation — 
GDPR), the Irish Supervisory Authority, as the lead supervisory authority (LSA), submitted a revised 
draft decision (Case XXXXXXXXXXX) which it submitted to the supervisory authorities concerned, 
including the CNPD. 


2. This draft follows relevant and reasoned objections raised by several supervisory authorities 
concerned to the original draft decision issued in Case XXXXXXXXXXX concerning a complaint by a 
data subject against Groupon International Limited (Groupon) as controller. 


3. In the revised draft decision submitted by the LSA, it is now proposed to apply to the controller a 
corrective measure under Article 58(2)(b) of the GDPR (cf. facts of the case described in CNPD’s 
Opinion/XXXX/XxX), following a position expressed by some concerned authorities. 


4. The aim is to achieve greater consistency in the implementation of the GDPR, taking into account 
more recent decisions by several authorities, including the CNPD, in which that coherence objective 
was taken into consideration. 


5. Thus, in so far as the revised draft decision does not alter the legal classification of the registered 
infringements (cf. Articles 5(1)(c) and 12(2) and (6) of the GDPR), with which the CNPD has agreed, 
and considering that no risk to the rights, freedoms and guarantees of the data subjects arises from 
the application of a sanction (reprimand) - on the contrary, it may have a deterrent effect on 
conducts which do not fully comply with the GDPR - the CNPD does not oppose the revised draft 
decision. 


6. This opinion shall be made known to the Irish Supervisory Authority and the other supervisory 
authorities concerned. 


Lisbon, 2 November 2020 
Filipa Calvão (President) 


An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Baile Átha Cliath 2. 
Data Protection Commission, 21 Fitzwilliam Square, Dublin 2. 
www.cosantasonrai.ie | www.dataprotection.ie | eolas@cosantasonrai.ie | info@dataprotection.ie Tel: +353 (0)76 1104800 



3. Comment received from the Office of Personal Data Protection (UODO) of Poland 


Comment: (en) The Polish SA does not introduce any further comments to the revised draft decision 
Added by: PL - SA Poland (Office for the Protection of Personal Data) 
Added on: 03/11/2020 18:47 CET 